From 64e3a4aab07547a9df2c32f2e30a7b60975d4c42 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 May 2022 03:12:12 -0400
Subject: [PATCH] import mod_auth_mellon-0.14.0-12.el8.1
---
 ...ent-redirect-to-URLs-that-begin-with.patch | 47 +++++++++++++++++++
 SPECS/mod_auth_mellon.spec | 8 +++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch
diff --git a/SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch b/SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch
new file mode 100644
index 0000000..2c93c96
--- /dev/null
+++ b/SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch
@@ -0,0 +1,47 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+
++ if (url == NULL) {
++ return HTTP_BAD_REQUEST;
++ }
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+
++ if (strstr(url, "///") == url) {
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "URL starts with '///'");
++ return HTTP_BAD_REQUEST;
++ }
++
+ return OK;
+ }
+
+--
+2.26.3
+
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index a844abb..7c46a7e 100644
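Review bot: The new `url == NULL` guard at the top of am_check_url returns HTTP_BAD_REQUEST silently, whereas the `///` rejection added in the second hunk of the nested auth_mellon_util.c patch goes through AM_LOG_RERROR first; rejected redirects are easier to triage when both paths log, e.g. `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, "URL is NULL");` before the early return. The prefix test `strstr(url, "///") == url` scans the whole string for a match it only accepts at offset 0; `strncmp(url, "///", 3) == 0` states the intent directly and stops after three bytes. A short comment on that branch would also help the next maintainer, since the reason is recorded only in the commit message, something like `/* "///host/..." is followed by browsers as a redirect to "host" (CVE-2021-3639); reject it outright */`. The body of am_check_url between the two nested hunks is not shown, so whether other early returns in this function already log could not be confirmed from this page.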
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 12%{?dist}
+Release: 12%{?dist}.1
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@@ -30,6 +30,7 @@ Patch0005: 0005-CVE_2019_13038.patch
 Patch0006: 0006-Add-none-option-for-samesite.patch
 Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
 Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
+Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
@@ -52,6 +53,7 @@ received in assertions generated by a IdP server.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %build
 export APXS=%{_httpd_apxs}
@@ -122,6 +124,10 @@ in the doc directory for instructions on using the diagnostics build.
 %attr(0755,apache,apache) %dir /run/%{name}/
 %changelog
+* Wed Dec 15 2021 Jakub Hrozek - 0.14.0-12.1
+- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect vulnerability in logout URLs [rhel-8]
+
 * Mon Jan 25 2021 Jakub Hrozek - 0.14.0-12
 - Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to support latest browsers